UPDATE: I forgot to note that RIM will probably issue an OS fix or update for this issue. The problem is that RIM has shot themselves in the foot in this regard and will probably have to wait for each carrier to certify the OS before they can release the potentially critical OS update. I know RIM has been working on being able to do smaller OS updates without a full update, but they have yet to do one.

I never thought the day would happen. The brand new BlackBerry WebKit browser has been exploited in a drive-by-download attack at the Pwn2Own contest this year. Three hackers, Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann, used a combination of an information disclosure bug and an integer overflow flaw to break into a BlackBerry Torch and steal the contact list and the image database. These are the same guys that won last year for hacking the iPhone.

The hack was done on a BlackBerry Torch 9800 running a much older OS, 6.0.0.246, but the security researchers say it also works against the latest OS versions. Kind of scary, right? The WebKit browser is one of RIM’s first forays into Open Source software on the BlackBerry and this is one of the harder security problems with open source. What is really impressive is that they managed to get past the browser and into the Java virtual machine to extract information. They used the information leakage bug to see parts of the device memory to figure out how to exploit the device.

According to ZDNet, RIM’s security response team was on hand while the hack was going on and their director of security response, Adrian Stone, said he would work to confirm if the vulnerability still exists in the latest OS. Stone had this to say to ZDNet: “It happens. It’s not what you want but there’s no such thing as zero code defects.”

I agree with Stone, but it is pretty crazy that the BlackBerry browser was exploited and had no security beyond that. This seems to point to an issue of the BlackBerry having security by obscurity since not many people know the inner workings of the BlackBerry Java virtual machine behind the app layer.

Check out more details on the exploit over at ZDNet. My mind is still reeling from the news and I expect we will be hearing an announcement from RIM soon…

Security is not even a thought in the consumer market… If the most popular phone on the market could be hacked for every bit of information on the phone in 2 seconds by any random user easily, nobody would care.

Yeah, well, in the end we all have been complaining for the last few years about the crappy old browser, and now that we have something that is better, I guess you can’t have it all. You have to compromise something, and this is the case: like you said, open source is out there for anyone to tinker with it. I really wasn’t expecting this to happen, that’s for sure.